anint

Micos

# SPACE SHUTTLE

MAIN ENGINE CONTROLLER ASSEMBLY PHASE C-D

# Quarterly Progress Report

28 May 1973 - 9 September 1973

(NASA-CR-1359M7) SPACE SHUTTLE MAIN N74-10721 INGINE CONTROLLER ASSEMBLY, PHASE C-D Quarterly Frogress Report, 28 May - 9 Sep. 1973 (Honeywell, Inc.) -117 p HC Unclas \$8.00



2770-3024

# Honeywell

Government and Aeronautical Products Division

Document No. W2101-QPR-3-73

21 September 1973

# SPACE SHUTTLE Main Engine Controller Assembly Phase C-D

QUARTERLY PROGRESS REPORT 27 May 1973 - 9 September 1973

Submitted to: Rocketdyne Division Rockwell International Corporation

Per:
Rocketdyne Contract No. R20SPA550031
Data Procurement Document No. 900001 Data Requirement Document No. 55-M-004

2770-3024

#### FOREWORD

This is the sixth quarterly progress report submitted in response to Data Requirement 55-M-006 of Contract R20SPA550031. It is a progress status report of work performed by Honeywell as a subcontractor to Rocketdyne Division of Rockwell International Corporation. Honeywell is responsible for the Phase C-D design and development of the Space Shuttle Main Engine (SSME) Controller Assembly. This report covers the period 27 May through 9 September 1973.

## - iii -

# CONTENTS

|             | •                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Page                                                                                                                                |
|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| SECTION I   | SUMMARY                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 1                                                                                                                                   |
| SECTION II  | ANALYSIS AND DESIGN                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 7                                                                                                                                   |
| SECTION II  | Schedule Technical Problems Thermal Design System Power Printed Wiring Board Screening Tests Weight System Design Current Controller Configuration System Design Studies System Specifications Control System Analysis and Simulation Design Verification Program Hardware Design Computer Interface Electronics (CIE) Input Electronics Output Electronics Power Supply Electronics Engineering Model (EM) Simulation Interface Adapter (SIA) Controller Mechanical Design Digital Computer Unit GSE/FTE Design Command and Data Simulator (C&DS) Controller Memory Programmer Controller Checkout Console (CCC) Factory Test Equipment (FTE) Software Design Memory Size and Process Time Operational Program Requirements | 7<br>8<br>9<br>12<br>13<br>13<br>14<br>16<br>58<br>61<br>62<br>64<br>65<br>68<br>70<br>72<br>77<br>79<br>79<br>80<br>81<br>81<br>82 |
|             | Operational Program Design<br>Controller Acceptance Test (CATP) Program                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 8 <b>2</b><br>85                                                                                                                    |
|             | Requirements<br>Controller Acceptance Test Program Design<br>Computer Acceptance Test Program (CMTP)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 85<br>85                                                                                                                            |
| SECTION III | MANUFACTURING                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 87                                                                                                                                  |
|             | Controller Activation Schedule Production Control/Flow Charts Milestone Chart                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 87<br>87<br>87<br>90                                                                                                                |

|             | Digital Computer Unit Activation Schedule Production GSE, FTE                                                                                            | 90<br>90<br>91<br>92                          |
|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|
| SECTION IV  | QUALITY ASSURANCE                                                                                                                                        | 97                                            |
| f           | Controller Accomplishments Significant Problems Hardware, Process, and Procurement Plans Digital Computer Unit                                           | 97<br>97<br>98<br>98<br>99                    |
| SECTION V   | RELIABILITY                                                                                                                                              | 101                                           |
|             | Controller Test Monitoring Design Reviews FMECA Nonconformance Reporting Parts Management Schedule Digital Computer Unit                                 | 101<br>101<br>101<br>102<br>103<br>103<br>104 |
| SECTION VI  | MAINTAINABILITY                                                                                                                                          | 107                                           |
|             | Maintainability Analysis and Prediction<br>Maintainability Verification<br>Support Hardware Recommendations                                              | 107<br>107<br>107                             |
| SECTION VII | SYSTEM SAFETY                                                                                                                                            | 109                                           |
|             | General Status Quantity of Catastrophic or Critical Hazardous Conditions                                                                                 | 109<br>109                                    |
|             | Hazardous Condition Summary Accident/Incident Review System Safety Hazards Analyses System Safety Plan Design Reviews Changes with Safety-Related Impact | 109<br>109<br>110<br>110<br>110               |

# ILLUSTRATIONS

| Figure |                                                                    | Page |  |  |
|--------|--------------------------------------------------------------------|------|--|--|
| 1      | SSME Controller Assembly Master Milestone Schedule                 | 2    |  |  |
| 2      | SSME Controller Assembly Program Schedule                          | 3    |  |  |
| 3      | 3 Input Power Requirements - Steady-State (Start Preparation)      |      |  |  |
| 4      | Engine Electrical Power Profile                                    | 11   |  |  |
| 5      | OPV Servoactuator Failures at NPL                                  | 22   |  |  |
| 6      | OPV Servoactuator Failures at MPL                                  | 23   |  |  |
| 7      | FPV Servoactuator Failures at NPL                                  | 24   |  |  |
| . 8    | FPV Servoactuator Failures at MPL                                  | 25   |  |  |
| 9      | MOV Servoactuator Failures at MPL                                  | 26   |  |  |
| 10     | Servoactuator Block Diagram                                        | 31   |  |  |
| 11     | Step Commands (+5 degrees)                                         | 32   |  |  |
| 12     | Smooth and Staircase Ramp Commands (200%/sec)                      | 33   |  |  |
| 13     | Staircase Ramp Commands - Effects of Different<br>Ramp Rates       | 35   |  |  |
| 14     | Staircase Ramp Commands (200%/sec) Effects of Input Lag Filter     | 36   |  |  |
| 15     | SSME Controller Assembly Block Diagram                             | 39   |  |  |
| 16     | OPV Servoactuator Failures at MPL (Engine Sensitivity)             | 43   |  |  |
| 17     | Open-Loop OPOV Steps at MPL (Engine Sensitivity)                   | 44   |  |  |
| 18     | MR Step Response with 0.5 Percent Backlash                         | 50   |  |  |
| 19     | MR Step Response with 1.0 Percent Backlash                         | 51   |  |  |
| 20     | MR Step Response with 1.0 Percent Backlash Valves 1/5 Nominal Gain | 52   |  |  |

| 21 | Thrust Step Response with 1.0 Percent Backlash                              | 54 |
|----|-----------------------------------------------------------------------------|----|
| 22 | Thrust Step Response with 1.0 Percent Backlash<br>Valves 1/5 Nominal Gain   | 55 |
| 23 | Thrust Range Response at Off-Nominal MR Command<br>Levels                   | 57 |
| 24 | Preferred Crystal Oscillator Circuit                                        | 64 |
| 25 | Partial Block Diagram of Power Supply Circuitry                             | 67 |
| 26 | Engineering Model Controller                                                | 69 |
| 27 | Simulation Interface Adapter                                                | 71 |
| 28 | Controller Case Inboard, Outboard and Cover<br>Assemblies                   | 73 |
| 29 | Controller Case                                                             | 74 |
| 30 | Circuit Board and Grids                                                     | 75 |
| 31 | Circuit Boards and Foam Pack Parts for Structural<br>Model DVS Tests        | 76 |
| 32 | Operational Program Memory Size Requirements                                | 83 |
| 33 | Operational Program Process Time Requirements                               | 84 |
| 34 | Combined Milestone Chart for Activation Schedule for Delivery of PP-1 Model | 88 |
| 35 | Line-of-Balance Chart for Fabrication of PP-1 Model                         | 89 |
| 36 | Controller Checkout Console                                                 | 93 |
| 37 | Command and Data Simulator System                                           | 95 |

# SECTION I

The program schedule status has improved in some areas, worsened in others, and continues to receive full attention. The program baseline is shown in Figure 1 and a summary of the actual status is shown in Figure 2. More comprehensive schedule information is given in the Logic Networks and Key Milestone Charts submitted under Rocketdyne Data Requirements 55-M-007.

System design and system analysis and simulation continue slightly behind schedule, while design verification testing has improved. Input/output circuit design has improved, but digital computer unit (DCU) and mechanical design continue to lag. Part procurement has been impacted by delays in printed-circuit board assembly drawing releases. These are the result of problems in generating suitable printed-circuit artwork for the very complex and high-density multilayer boards.

Previously reported schedule recovery efforts have proved effective and functional and integration testing of engineering model EM-1 is projected for completion by the 1 October 1973 target date. The schedule position of BT-1 has also improved, but projected late DCU deliveries present a potential problem. The schedule position of PP-1 is jeopardized by this and by the late design releases, and a vigorous schedule recovery effort is being applied here also.

The ability of the controller to operate continuously in the most severe operating modes was demonstrated by simulation runs on a thermal math model of the complete assembly. The model is being updated and new runs will be performed to predict the improvements derived from new power profiles.



Figure 1. SSME Controller Assembly Master Milestone Schedule



Figure 2. SSME Controller Assembly Program Schedule

Detailed models of selected subassemblies are also being prepared to determine component temperatures.

Thermal screening tests were completed on multilayer printed-wiring boards. Small cracks detected in the solder joints for transistor leads indicated the need for improvements in parts mounting, process, and workmanship techniques. A plan of action has been established to effect the required changes prior to formal Design Verification Specification (DVS) testing.

All hardware and elements of engineering model EM-1 with the exception of power supplies have been integrated and functional testing is in process. On 1 October 1973, integration with the real-time simulation will begin.

Nineteen Design Verification Test Procedures were submitted, and work was completed on 14 out of 19 design verification tests in process during the period. Twelve test reports were completed and submitted.

Design documentation for EM-1 was completed and release of PP-1 documentation was begun. The printed-wiring board component density and the number of board layers are greater than anticipated. The resulting problems in programming and mechanizing these more complex subassemblies in the automated graphics systems has resulted in delays in board documentation, and schedule recovery action is being implemented. Printed-wiring board vendors have been extending delivery promises and procurement action is being taken to improve delivery.

Parts for the structural thermal model (STM) have been fabricated and assembly has started.

Memory plated-wire equipment was certified to produce wire that meets the temperature operating range of Shuttle environments. Memory planes were produced and keeper plating accomplished with excellent yield results on the

initial lot. Six out of six planes were accepted through plating as contrasted to less than 50 percent yield of planes through keeper plating on past programs.

The GSE Preliminary Design Review (PDR) was completed.

Build of the in-house command and data simulator (C&DS) was completed and checkout and debug is being performed on the hardware and the executive software.

The first computer checkout console (CCC) was completed and is being used to support EM-1. Unit 2 to be used and shipped for BT-1 is in checkout, and unit 3 is in build.

# PRECEDING PAGE BLANK NOT FILMED

- 7 -

## SECTION II ANALYSIS AND DESIGN

#### SCHEDULE

The schedule position of the Analysis and Design activities ranges from onschedule to 8 weeks behind. The most critical items are production prototype-printed wiring board drawing releases with a negative slack of 7 weeks for the Input/Output Assembly boards and 6 weeks for the DCU. The delays are primarily a result of problems in initial programming and mechanization of the automated graphics systems needed to produce the high-density multilayer space shuttle boards. An intensive effort is under way to accelerate releases and to recover some of the negative slack.

The power supply design is also 8 weeks behind schedule due to modifications being performed to improve the efficiency and voltage regulation. Nominally this represents an 8-week impact on Engineering Model EM-1, but this has been circumvented through the use of substitute commercial power supplies until the Space Shuttle design is available.

#### TECHNICAL PROBLEMS

#### Thermal Design

Simulation runs were performed on an updated thermal math model as noted in the prior quarterly report and were published in Thermal Study Report W2101-TSR, dated 18 June 1973. The updated model reflected revised and less severe environmental temperature conditions and improvements in the controller thermal design.

Three runs were made at different power dissipation conditions within the controller. The runs predicted that the controller may be operated continuously in either the ground checkout standby mode or the modular checkout mode, provided compartment air and well temperatures do not exceed 95°F and the engine temperatures do not exceed 100°F. The predicted internal temperature rise on circuit cards was reduced by the increased card-to-partition conductance achieved through foil-wrapped foam grids in the foam pack assemblies. The runs also predicted up to 7°F over temperature at the power supply rectifier-filter diode junctions during the propellant drop and chilldown portion of the start-preparation operating mode. The power supply design will be directed toward correcting this condition.

Subsequent to issuance of the Thermal Study Report, the controller power dissipation and power dissipation time lines were updated to reflect new data provided by Rocketdyne in SPSCN-20 to RC1007, Rev. D.

The math model was again updated to reflect the new data and simulation runs will be performed to determine the impact of these parameter changes on the controller temperatures. The runs will cover the following conditions:

• Steady-state standby mode @ 95°F ambient and 100°F engine

- Start preparation, sequences 1 through 4
- Steady-state flight-readiness test in sequence 4 mode @ 95°F ambient and 100°F engine

Significant reductions in controller internal temperatures are anticipated.

Detailed math models are also being created for the power supply/driver assembly and selected circuit boards. Simulation runs will be performed in September to investigate component temperatures.

#### System Power

The power-reporting basis was changed during the reporting period to more closely relate to the critical power dissipation conditions in the thermal analysis. This new basis includes allowances for leak detector circuits, spare on/off solenoid valves, and component variations. The basis also reflects the condition of maximum controller assembly internal power dissipation which, except for a few seconds during engine start, occurs in the start preparation phase. The start preparation phase is most critical to controller operation because it may continue for an indefinite period.

In Figure 3, the predicted input power of 693 watts is compared with the 700-watt limit proposed in Rocketdyne letter ROM-CA3-305. The predicted controller internal power dissipation is also given. The proposed engine electrical power profile is shown in Figure 4.



Figure 3. Input Power Requirements - Steady-State (Start Preparation)





Figure 4. Engine Electrical Power Profile

#### Printed Wiring Board Screening Tests

Multilayer Printed Wiring Board (PWB) thermal screening tests were completed by the Aerospace Division. These tests were performed to evaluate PWB Board integrity, solder joints on typical components, and memory plane integrity, and were conducted on typical Aero and G&APD populated boards. Test report DVSTR No. 002 dated 30 August 1973 was transmitted by Aero to G&APD. An addendum dated 31 August 1973 was prepared by G&APD and the complete test report package was presented to NASA/Rocket-dyne at Florida on 5 September 1973.

The test results revealed heat cracks on some of the solder points where the transistor leads entered the joint. Based upon an analysis of the solder joints and component mountings, and upon a critique by the NASA soldering committee, a plan of action was established to prove the design and to test alternative solutions. The plan includes test boards as similar as possible to the final design, built and inspected to defined documentation. The plan also encompasses improved stress relief in component leads, workmanship standards, operator training, wave soldering techniques, parts mounting and handling techniques, and thermal overlay effects. A total of eight board assemblies representing four different configurations will be tested, with a goal of completing the tests by the start of PP-1 build.

## Weight

Weight reporting on the controller has been changed to a monthly basis via Customer Engineering Letter (CEL 3-SSEC-236). The current weight has increased to 197.2 pounds as a result of structural and thermal improvement and power supply design maturity.

#### SYSTEM DESIGN

Significant milestones reached during this period were the initiation and completion of a significant portion of the system functional and integration testing on EM-1. Testing has progressed according to plan, and the 1 October 1973 completion date for functional testing should be met in spite of a late start.

Initial system testing on EM-1 was started 9 August 1973 using a simple functional channel of electronics consisting of the following:

- A single DCU and associated computer interface electronics
- A single channel of output electronics
- Three channels of input electronics

As of 7 September, the redundant channels were all added, so that the EM-1 unit is complete with the exception of power supplies. Laboratory power supplies are being used in the interim until the EM-1 supply is available.

Testing to date has included a satisfactory functional check of all controller hardware, with the exception of the channel B output electronics. That test will be completed by 12 September. The hardware functional testing has been done with simple program elements to facilitate testing. As hardware testing is completed on 12 September, the initial version of the Controller Acceptance Test Program will be loaded and software testing initiated.

# Current Controller Configuration

The system mechanization is basically unchanged from that previously reported. A revision of the input electronics write control logic was made, however, to remove a potential single point failure source.

#### System Design Studies

Considerable attention was given during this period to studies of failure simulations and to means of alleviating concerns resulting from these studies.

Failure simulation studies regarding the actuation system determined that allowable response times to detection and correction of failures are marginal and that actuator position monitoring requirements are very stringent. Methods of achieving a satisfactory failure response time were devised for all propellant control values except the OPV. Because of an unsuitably high engine sensitivity to actuator position, it appears that the response time of the fail operate torque motor valves alone exceeds that necessary to adequately respond to OPV failures. Any solution devised by Rocketdyne for the high engine sensitivity should help this condition, however. Honeywell plans to propose changes to the RC1010 requirements in the near future to effect the failsafe performance improvements mentioned above. These proposed changes will also cover software revisions which will remove a potential single point failure resulting from a failed failsafe valve having shorted turns.

A review of the self-test mechanization was made to determine if areas exist where the software timing requirements might be eased. Two improvements were devised which save a total of about 0.3 to 0.4 millesecond. This includes deletion of power supply monitoring inflight (it is retained for ground checkout) and a revision of the power-off timer test routine. Details of these changes were provided to Rocketdyne via CEL.

#### System Specifications

A number of additional SPSCNs were received from Rocketdyne during this period. Current controller requirements are defined in the following specifications and SPSCN's:

- RC1007 Rev D plus SPSCNs 013,015,003,006,010,004,008,011,016,017,019,023,009R,032,033,002,012
- RC1009 Rev. E plus SPSCNs 001,002,003,005,006
- RC1010 Rev D plus SPSCNs 002,010,011,001,005
- RC00001 Rev E plus Amendment 3

Honeywell system requirements specifications presently in effect are:

- HRS 24402-01 Rev. B
- HRS 24403-01 Rev. C
- DS 24405-01 Rev. F

### Control System Analysis and Simulation

## Servoactuator Failure Mode Study --

Summary -- The effects of servoactuator failures at their valves and positional pick-offs were observed using the 231R/Sigma-5 engine/controller simulation. Study results allowed two generalized conclusions to be made:

- The analog monitor, which is concerned with failures at the servoamplifiers, servovalves, servovalve models, LVDTs, etc., adequately detects and corrects for failures in its domain under most conditions.
- 2) The actuator tracking technique of RC1010, which is concerned with failures at the servoactuators, RVDTs with their associated electronics, etc., is unsatisfactory for detecting and correcting failures at the servoactuator outputs.

Conclusions and Recommendations -- These conclusions and recommendations for improvement will require both hardware and software changes:

1) Failures in the servoactuator system which positions the OPV are critical and can be remedied only by Engine System Changes. Failures to servoactuator systems that position the other four propellant valves (FPV, MFV, MOV, CCV) can be handled adequately if the recommended changes given here are adopted.

- 2) A reduction in the error action level (EAL) of the analog monitor, currently set at 50 percent of servovalve spool displacement, is desirable if design is not compromised, but is not necessary. However, a reduction is recommended if the actuator tracking EAL is reduced to less than 5 percent. The importance of these two EALs whose ratio must not exceed 10, is that it assures that failures associated with the servovalve will be detected and corrected by the analog monitor rather than the actuator tracking software downstream, a potentially serious situation.
- 3) Rewrite Paragraph 3.2.1.1.7.1 of RC1010 so that each indicated servoactuator position error is treated and acted upon individually. If an active channel failure is confirmed, command switchover to the standby channel. If a standby channel failure is confirmed, update the appropriate flag in the data tables so that a failure in the active channel will command failsafe mode. On switchover from a confirmed active channel failure to the standby channel, delay actuator tracking sampling of it for two nominal computation cycles so that the actuator, having possibly been driven well away from its trim position by the failure, can return and reduce the tracking error to less than the 5 percent EAL, thereby avoiding a single-point failure situation.
- 4) Excessive servoactuator rate capability and high control effectiveness of the preburner propellant valves (OPV and FPV), especially at or near minimum power levels (MPL), contribute to failsafety problems. These are beyond the design responsibility of Honeywell and may well be justified as is. However, either some relief must be obtained here or the problems at MPL must be dismissed as not important based on projected engine duty cycles.

<u>Discussion</u> -- Failures can occur in two general areas of the servoactuator loops: those associated with the servovalves and their electronics, and those at the servoactuator outputs. Failure monitoring is two-stage: an analog monitor concerned with failures near the servovalves, and actuator tracking using software methods.

While there is no requirement that each monitoring stage detect and correct for failures within its immediate domain, such a requirement appears desirable from failsafety considerations. Further discussion of this point is made later in this section.

Five specific failure types were used in the study. At the servovalves, step valve displacement hangups both less and greater than the EAL of 50-percent spool displacement were used. These were applied in both directions so that positioning of the servoactuator tended to open and close the propellant valves. At the actuator outputs, RVDTs and their associated electronics were failed in three ways: minimum, maximum, and 50-percent outputs.

If item 3 of the Conclusions and Recommendations section is adopted, failures in the servoactuator loops for the FPV, MFV, MOV and CCV propellant valves can be safely handled. It will take something like the modification in Item 4 to safely handle failures in the OPV actuator loop.

OPV actuator loop failures cause two kinds of problems. A failure which tends to close the OPV at MPL depresses the main chamber pressure to seriously low levels. Nominally at 50 percent this critical engine parameter can trigger engine shutdown if it reaches 40 percent. Similarly, at EPL where the main chamber pressure is nominally 109 percent, a failure tending to open the OPV can drive this pressure up to 114 percent and cause shutdown. Perhaps these failures can be tolerated if the shutdown limits are expanded. But a more

serious problem occurs when a failure tends to open the OPV while at MPL. Oxidizer propellant is ported into the preburner chamber where a fuel-rich mixture exists. Before the failure is detected, verified, and switched out, the preburner temperature is beyond its limit. One of two things can happen: either a shutdown occurs (the temperature is a critical engine-limit parameter), or temperature override is selected (under conditions not intended for it) in the controller and both preburner valves are closed, the temperature error closing the OPV and the crossfeed term closing the FPV. Of course, until the faulty channel is removed, neither of these can occur. In the meantime the computer continues to compute engine thrust and mixture ratio but the validity of these calculations is questionable. The best that can happen here is a shutdown, since the possibility of a flight hazard exists.

A satisfactory solution to handling OPV actuator loop failures may cause other problems. Lowering the actuator tracking EAL looks promising until the matter of an increased ratio of EALs is examined closely. Suppose the actuator tracking EAL is lowered to 2.5 percent, raising the ratio to 20, twice the recommended value. If a failure at the servovalve now occurs, of a kind that is not immediately detected by the analog monitor, the actuator tracking software will have to respond. But the failure will cause both RVDTs to display identical values. When the computed actuator position is compared with these, both look like failures and a single-point failure situation is apparent.

The objective here is to reduce the amount of time it takes for a failed channel to be detected, verified, and switched out. This can be demonstrated by removing all solenoid and sampling delays. Of course, this is no solution, but it appears that an attempt to minimize the time to get rid of a failed channel is not going to solve the problem.

An alternative suggests itself here. As long as there is little that can be done to speed up switching out a failed channel, try instead to minimize the disturbance the failure causes. This can be done by reducing the rate capability of the servoactuators.

Table 1 contains the maximum servoactuator rates required to handle legitimate controller commands. But the major propellant valve actuators (MFV and MOV) are specified at maximum rates of 370 percent per second and the minor propellant valve actuators (FPV, OPV, CCV) and 305 percent per second (see Table 1, RC1008).

Table 1. Maximum Controller-Commanded
Actuator Rates

| A ctuator | Peak Actuator Rates Commanded |                      |  |
|-----------|-------------------------------|----------------------|--|
| 11Ctuator | Mainstage                     | Startup and Shutdown |  |
| FPV       | 40                            | 150                  |  |
| OPV       | 40                            | 150                  |  |
| CCV       | 100                           | 100                  |  |
| MFV       | 60                            | 150                  |  |
| MOV       | 55                            | 100                  |  |

This excessive rate capability adds to the severity of the engine disturbance during failures, and reduced rate capability for at least the preburner valve actuators should be recommended. There may be good reasons for not reducing rates via mechanical or hydraulic changes to the servoactuators, but the job could be done electronically by limiting the servoamplifier outputs so that any command, legitimate or illegitimate (failures), could not command rates exceeding 150 percent per second. Such limiting would restrict the violence of all RVDT failures plus those failures near the servovalves except mechanical failures to the servovalves themselves. This last unchecked

failure is undesirable but nothing short of reduced OPV effectiveness will eliminate it.

The fact that the most severe failure problems occur at low engine thrust levels hints at a way to rationalize them away. Engine duty cycles for typical missions would probably show the engine at low thrust levels for a low percentage of the time. MPL then becomes a very brief transitory condition on the way to either startup or shutdown.

Results -- The time histories contained in Figures 5 through 9 are separated into two sets. Each strip in a set has a number which identifies the particular failure type. These failure types are:

- Servovalve step hangup, less than the EAL of the analog monitor, positions actuator so that propellant valve tends to open
- 2) Same as 1 except that propellant valve tends to close
- 3) RVDT output goes to maximum value
- 4) RVDT output goes to minimum value

The eight parameters in the set at the left, starting at the top of the Figures are:

1 and 2 - The differential errors (DE) the analog monitor sees in Channels A and B. This is the differential sum of the servovalve and its model. When the sum equals or exceeds the monitor EAL, currently set at 50 percent of spool travel,



Figure 5. OPV Servoactuator Failures at NPL



Figure 6. OPV Servoactuator Failures at MPL



Figure 7. FPV Servoactuator Failures at NPL



Figure 8. FPV Servoactuator Failures at MPL



Figure 9. MOV Servoactuator Failures at MPL

for at least two milliseconds, the analog monitor sends an interrupt to the computer.

- 3 and 4 The differential errors the computer generates by comparing the computed actuator position with each RVDT displayed position. When either of these equals or exceeds the tracking EAL, currently set 5 percent equivalent actuator displacement, the computer enters 200-Hz cycling to test the indicated failure.
- 5 and 6 Discretes that indicate completion of switchout of faulty A channel, or recognizing (or switchout of) faulty B channel.
- A discrete that indicates the completion of switchout of a second failure and putting engine into pneumatic shutdown.
- Engine thrust.

The parameters in the set at the right, starting at the top of the Figures, are:

- 1) Preburner temperature, "fuel-side" of engine
- 2) Preburner temperature, "oxidizer-side" of engine
- 3) Shaft speed, high-pressure fuel turbopump
- 4) Shaft speed, high-pressure oxidizer turbopump
- 5) Main combustion chamber pressure
- 6) System thrust error
- 7) System mixture ration error
- 8) Engine thrust

The first five items in the second set are engine-limit-control shutdown parameters. It is not known what limit level these parameters will be compared with (see Table VI, RC1007 for range of values), but servoactuator failures cause transient disturbances to these parameters. Whatever the limit settings, failsafety mode operation must be quick enough to avoid excessive transients in them.

The timer for the time histories is at the lower edge of the strips. Each tick is 20 milliseconds.

The selection of propellant valve axes and engine power levels for the servo-actuator failures given in Figures 5 through 9 was dictated by two considerations. These were, first, to choose conditions where failures are most likely to cause problems and, second, to illustrate graphically how the servoactuator failsafety system operates. Using the first of these eliminated the main fuel (MFV) and coolant control (CCV) propellant valves at all engine thrust levels and the main oxidizer valve (MOV) at high engine thrust. The failsafety system operated well in removing failures in these circumstances while keeping engine transients to minor or insignificant levels.

A review of Figures 5 through 9 demonstrates that while engine transients are significant, failures in the FPV and MOV axes are corrected satisfactorily. It is in Figures 5 and 6, which deal with failures in the OPV axis, that fail-safety problems persist. Figure 5, with the engine at 100 percent of thrust, seems to indicate that failures are adequately handled, but this is a bit deceptive. Failures numbered 5 and 8, which tend to open the OPV, generate transients which put some of the critical engine shutdown parameters close to triggering levels. With the engine at EPL (109 percent, not included in the Figures), a shutdown is even more likely. In a similar way, failures 2 and 4, which tend to close the OPV, reduce main chamber pressure (P<sub>C</sub>) close to shutdown level (see Figure 6). It is not known at what levels the engine-limit shutdown parameters will be set, but Table IV, RC1007, contains a range

of values for each. The limit levels shown on the extreme right borders of Figures 5 and 6 are as follows: TFP is 2250°R, TOP is 2400°R, SF2 is 4000 rpm, SO2 is 35000 rpm, and  $P_c$  is 40 percent and 112 percent.

A more difficult problem of handling a failure is illustrated in Figure 6. At low engine thrust levels, failures that then open the OPV (1 and 4) cannot be switched out quickly enough to avoid a shutdown, either through an apparent single-point failure or triggering an engine-limit parameter. The response labeled 1A demonstrates what quickness can do. It is the repeat of the response labeled 1, except that the 12-millisecond solenoid switching time was removed. This small saving of time, (which, of course, is no solution to the problem), is sufficient to permit both switchout of the failed channel and control recovery from the disturbance.

The RVDT failure labeled 4 (see Figure 6) does not generate differential errors in the analog monitor so the actuator tracking software will respond. The accumulated delays here are much more severe, i.e., no priority interrupt, failure verification is required, and the solenoid switchout time. This particular failure is so rapid and disruptive that a basic change in the sensitivity of the OPV must be considered. Such a change is beyond Honeywell design responsibility.

The importance of the ratio of EALs has been emphasized previously. Failures labeled 1 and 2 in all the Figures can be used to make this point. For example, in Figure 5 it is clear that the analog monitor is responsible for the detection and switchout of the failure. (Note that the monitor DE reaches its EAL of 50 percent spool travel before either of the tracking DEs reach their EAL of 5 percent actuator displacement.) But this type of failure affects the actuator output also, and both A and B actuator tracking differential errors reach approximately 2.5 percent, or half, of their EAL. Suppose that it is possible to lower the tracking EAL to 2.5 percent, a beneficial change. If this is done, then failure types like 1 and 2 could slip by the analog monitor (that is, the

tracking EAL will be reached before the analog monitor EAL) and be interpreted by the system as a single-point failure. To avoid this, any reduction in the actuator tracking EAL must be accomplished by a reduction in the analog monitor EAL. (The converse of this is not true.) The conclusion to be drawn here is that the ratio of EALs must be maintained at a value not to exceed the current value of 10.

## Servo Actuator Analog Study --

Summary -- A brief analog study was performed on the servo actuators used to position the SSME propellant valves. The purpose of the study was to examine the effects of various inputs (step and ramp commands) on the servo valve monitor and nonlinearities such as stiction and backlash.

The servo actuator performed well with no nuisance tripping of the servo valve monitor. The effects of the system on the complete engine and controller system is beyond the scope of the study.

Background -- Figure 10 represents the block diagram used to simulate the servo actuator system on a PACE 231R analog computer (No. C13). The broken line shows the modification necessary to obtain computer runs with the nonlinearities (stiction and backlash) inside the servo/actuator loop. It is currently believed that the nonlinearities lie outside the loop. Comparisons of the two nonlinearity configurations, along with runs with no nonlinearities, can be seen in both Figures 11 and 12.

Only the fuel preburner oxidizer valve was investigated in this study which, from previous analysis, appears to be the most sensitive servo actuator as far as tripping the servovalve monitor is concerned.

Results -- Figure 11 shows results of  $\pm 5$ -degree step commands ( $\pm 6.25\%$ ). This input is unrealistically large because even at maximum commands



Figure 10. Servoactuator Block Diagram



Figure 11. Step Commands (+5 degrees)



Figure 12. Smooth and Staircase Ramp Commands (200%/sec)

(305%/sec) the digital ramp, or "staircase", command will be comprised of steps no larger than 4.88 deg. Maximum input rates of 200%/sec is more realistic. The only significant effect of the nonlinearities is the hangoff in Output position error  $\theta_{\epsilon}$  (due to the linkage hysteresis) amounting to 0.3 to 0.4 degrees. This hangoff is not seen by the servovalve monitor, but could adversely affect the system performance. The peak voltage error at the comparator  $V_{\epsilon}$  is only 2 volts and 6.25 volts are required to trip the monitor (for 2 ms).

Figure 12 shows more comparisons of runs with no nonlinearities, inside and outside the servo loop. The same conclusions can be made as in Figure 11 concerning hangoff position error  $(\theta_\varepsilon)$  and the servovalve comparator voltage error  $(V_\varepsilon)$ . Also compared in the figure is the staircase input (expected from the digital computer) against the nonrealistic smooth ramp input. Although the staircase commands do not present any problems in the servovalve monitor, they may cause problems in total system performance.

Figure 13 shows the effects of various ramp rates for the staircase commands on the servo/actuator and monitor. As expected, the smaller the ramp rate, the smaller the measured effects.

Figure 14 shows what happens when the input command is lagged. This tends to smooth out the steps of the staircase input but at the expense of slowing down the system if and when quick response is required.

This study did not consider engine performance since the engine and controller are not included in the simulation.

## Engine/Controller Frequency Response per RL00001 Revision E --

<u>Summary</u> -- Stability margins for the RL00001 Revision E engine/ controller were determined at selected points in the operational envelope,

a. Max rate (305 %/eec)



Figure 13. Staircase Ramp Commands - Effects of Different Ramp Rates



Figure 14. Staircase Ramp Commands (200%/sec) Effects of Input Lag Filter

using the digital KNOVOL program. Minimum gain margins thus obtained are 10db for the thrust loop and 18db for the MR loop. Phase margins exceed 60 deg for both loops. These values are well within the design goals of 8db gain margin and 45 deg phase margin. The gain and phase margins obtained from this study are summarized in Table 2.

Table 2. Gain and Phase Margins

| Control<br>Loop | Power<br>Setting | Nominal<br>MR | Forcing Function                   | Gain<br>Margin<br>(db) | Phase<br>Margin<br>(deg) |
|-----------------|------------------|---------------|------------------------------------|------------------------|--------------------------|
| Thrust          | NPL              | 6.0           | 2%(A/A)OPV Decrease                | 14                     | 90                       |
| Thrust          | NPL              | 6.0           | 2%(A/A)OPV Increase                | 12                     | 84                       |
| Thrust          | MPL              | 6.0           | 2%(A/A)OPV Decrease                | 19                     | 90                       |
| Thrust          | MPL              | 6.0           | 2%(A/A)OPV Increase                | 11                     | 82                       |
| MR              | NPL              | 6.0           | 2%(A/A)FPV Decrease                | 21                     | 90                       |
| MR              | NPL              | 6.0           | 2%(A/A) <sub>FPV</sub> increase    | 23                     | 85                       |
| MR              | MPL              | 6.0           | 2%(A/A) <sub>FPV</sub> Decrease    | 25                     | 60                       |
| MR              | MPL              | 6.0           | 2%(A/A)FPV Increase                | 28                     | 80                       |
| Thrust          | MPL              | 6. 5          | 0.5%(X/X)OPV Increase              | 12                     | 60                       |
| MR              | MPL              | 6.5           | 1%(X/X)FPV Increase                | 21                     | 85                       |
| Thrust          | NPL              | 6,5           | 1%(X/X)OPV Decrease                | 10                     | 60                       |
| MR              | NPL              | 6.5           | 1%(X/X) <sub>FPV</sub> Decrease    | 18                     | 90                       |
| Thrust          | MPL              | 5.5           | 0.5%(X/X)OPV Increase              | 15                     | 65                       |
| MR              | MPL              | 5. 5          | 1%(X/\(\overline{X}\))FPV Decrease | 28                     | 90                       |
| Thrust          | NPL              | 5.5           | 1%(X/X)OPVDecrease                 | 13                     | 85                       |
| MR              | NPL              | 5, 5          | 2%(X/X)FPV Decrease                | 25                     | 90                       |

<u>Discussion</u> -- Two simulations were used in obtaining the above information. The data at MR = 6.0 was obtained from the PACE 231R/Sigma 5 simulation prior to switchover to the verification simulation on the PACE 700/Sigma 5 equipment. Data at MRs of 5.5 and 6.5 was then obtained from the latter equipment.

It should be noted that the two sets of data were obtained from the simulations using different forcing functions. The 231R (MR = 6) data has valve area steps as the input function while the 700 (MR = 5.5, 6.5) data has valve position steps as the input function. The above difference results in the open-loop gain of the two sets of data being different by the displacement to area gain of the propellant valves.

The controller configuration used in these studies is shown in Figure 15 and Table 3.

Frequency Responses for MR = 6.0 (231R Data) -- An oxidizer preburner valve area step was used to force the thrust loop, and the fuel preburner valve area step forced the MR loop. The loop not being forced was closed so that the responses were of the augmented engine. Gain and phase margins are obtained by adding the appropriate controller and engine response plots and observing the phase angle at the point of unit (0db) loop gain, for the phase margin, and noting the loop gain at the point where the total phase angle is 180 deg.

Frequency Responses at MR = 6.5 and 5.5 (PACE 700 Data) -- This data was obtained in a similar manner to the 231R data except displacement rather than area steps were used. It should be noted that the phase angle on these responses is in error by 180 deg due to a programming discrepancy.



Figure 15. SSME Controller Assembly Block Diagram

| Control Loop                                                                                    | Thrust Control                                                                            | Mixture Ratio<br>Control                                                                                          | Temperature Limit<br>Control                                                                                                             |
|-------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| Sensor: Type Response Feedback Compensation Forward Loop Compensation                           | 1 Pressure > 600 rad/sec  None 2 0.45 x 10 <sup>-3</sup> (S/15 + 1) * Stroke 1b-sec       | 8  Turbine flowmeters  > 200 rad/sec first order  None  9  -30 (S/33.3 + 1)                                       | Temperature resistance bulb  0.5 sec first order  (S/1.66 + 1) (S/12.5 + 1)  Product of boxes 2 and 15: E'/E = 105(1 + ABS(E/100)) lb/°R |
| and NPL Gain<br>Sample Rate<br>Output Range                                                     | 50 samples/sec                                                                            | 50 samples/sec                                                                                                    | 50 samples/sec                                                                                                                           |
| Gain Coefficient At NPL and Above At MPL and Below Linear with Thrust Level Between MPL and NPL | (3) K <sub>3</sub> 1, 0 0, 6                                                              | 1.0<br>0.25                                                                                                       | None                                                                                                                                     |
| Control Limits Range Rate                                                                       | 480 lb/msec maximum                                                                       | 6,0 at EPL<br>5.5 - 6.5 NPL to MPL<br>1 MRU/sec maximum                                                           | Nominal reference temperatures:<br>1895°R - FPV<br>2040°R - OPV                                                                          |
| Crossfeed Gain At NPL and Above At MPL and Below Linear with Thrust Level Between MPL and NPL   | 5 K <sub>5</sub> 1.1                                                                      | None                                                                                                              | None                                                                                                                                     |
| Valve Position Control Response                                                                 | Oxidizer preburner Oxidizer valve  75 <sup>2</sup> S <sup>2</sup> + 75S + 75 <sup>2</sup> | Fuel preburner oxidizer valve $ \frac{75^{2}}{S^{2} + 75S + 75^{2}} \xrightarrow{\text{$\sharp$ Stroke}} Stroke $ | None                                                                                                                                     |
| Error Select Logic ·                                                                            | Logic selects and transmits most negative error signals received                          | None                                                                                                              | See thrust error select logic                                                                                                            |

Table 3. Key to Figure 15, SSME Controller Assembly Block Diagram

Engine Sensitivity to Preburner Propellant Valve Motion -- Current studies at Honeywell indicate that the preburner propellant valves have an excessively high engine control sensitivity at minimum power level (MPL). This high sensitivity results in problems with possible premature engine failure due to the oxygen preburner valve (OPV) and potentially poor mixture ratio control definition due to the fuel preburner valve (FPV).

## Oxygen Preburner Valve Failures --

Summary -- The studies at Honeywell on the engine system simulations indicate that the current engine definition has a high risk of premature failure during servoactuator malfunction. Specifically failures of the oxygen preburner propellant valve (OPV) servoactuator which cause slewing in the opening direction, at minimum power level, cause the oxygen preburner temperature to exceed 5000 degrees Rankine. In Figure 16, traces 1 and 4 demonstrate the reaction of the engine to the above mentioned type of failure. The open-loop test runs of Figure 17 point out two significant aspects of the engine operation at minimum power level. The first is that it takes less than 2 percent step in the OPV valve to cause the oxygen preburner to go above 5000°R temperature. The second is that the deep throttling schedule requirements of the main oxidizer valve, at low power levels, is a major contributor to the problem.

Modifications to the engine system definition in the following areas will contribute to alleviating the problem:

- Decrease the main oxidizer valve (MOV) valve schedule; i.e., do not throttle the valve area to a low value during MPL operation.
- 2) Reshape the OPV valve area to compensate for the highflow gain at MPL by decreasing the effective incremental area change.

3) Decrease the slew capability of the OPV valve servoactuator. The current system has a 305%/second maximum capability. The maximum rate needed is 150%/second during the start range.

Discussion -- Recent servoactuator failure mode studies indicate a potential engine system failure condition exists in the oxygen preburner system. The apparent cause of the failure is the excessive servoactuator slew capability and high control effectiveness, particularly at minimum power level (MPL), of the oxide preburner propellant valve (OPV).

Referring to Figure 16, failures at low engine thrust level in the OPV valve (1 and 4) cannot be switched out quickly enough to avoid a shutdown through the preburner temperature engine limit parameter. More significant is the fact that this shutdown would occur after the preburner had operated at excessive temperature (above 5000°R). The total time duration at the high temperature cannot be determined on our current simulation. The final temperature value and slew rate are high enough to effectively place our simulations out of range in a very short (20 to 40 milliseconds) time period. The engine shutdown criteria requires 500 milliseconds overtemperature prior to shutdown. Honeywell simulations currently are not set up to simulate 5000°R temperatures for a 500-millisecond real-time operation. In any event, it is doubtful that the engine could survive the excessive preburner temperature indicated.

Figure 17 is a set of open-loop engine data which was taken in an attempt to bracket the magnitude of the problem. The data were generated at minimum power level with the fuel preburner valve position fixed and the oxygen preburner valve position stepped in an open-loop mode. The first two runs were made with the MOV valve operating from the control law schedules through a first-order lag. The third trace was made with the MOV valve held open at 100 percent.



Figure 16. OPV Servoactuator Failures at MPL (Engine Sensitivity)



12(XX)OPOV INCREASE
MOV Per Schedule Open-Loop OPOV Steps at MPL Figure 17. (Engine Sensitivity)

27 (%) OPOV INCREASE
MOV Per Schedule

4% (XX) OPOV INCREASE MOV AT 100%

W2101-QPR-3-73

The first trace indicates that the current engine definitions can tolerate a 1 percent open-loop increase in actuator position at minimum power level. The second trace shows the oxygen preburner temperature spiking over 3000°R for a 2 percent increase in OPV valve position. Trace number three indicates that holding the main oxide valve fully open at MPL allows the oxygen preburner valve to step 4 percent without exceeding the 2000°R nominal engine shutdown limit.

Considering a failure in the OPV actuator system with its current 300%/second slew rate coupled with the above data indicating a 2 percent step is the upper bound in open-loop operation of the preburner. The following monitor reaction time can be calculated:

Required reaction time = 2%/300%/second = 6.6 milliseconds.

This reaction time of 6.6 milliseconds is roughly 50 percent of the required 12 milliseconds needed for the operation of the fail operational solenoids, and does not leave any time for monitor and software processing. From the above, it is evident that at best a potential system single point failure exists and at worst it may result in significant engine damage.

Reviewing the above data and the general characteristics of the engine and actuator definitions, the following conclusions can be reached:

1) The main oxidizer valve throttling increases the preburner propellant valve sensitivity by increasing the pressure drop across the preburner valves at minimum power level.

Relief for this problem can be obtained by: a) decrease the MOV throttling at low thrust levels; that is, do not close the MOV valve area as far for minimum thrust; and b) decrease the effective flow gain of the propellant valve possibly by shaping the valve area for the low thrust engine conditions.

2) The excessive servoactuator rates during failure conditions coupled with the high-control effectiveness of the OPV valve contribute to the failsafe problems. This high-rate capability of a failed system adds significantly to the severity of the engine disturbance during failures. A partial "fix" of the problem may be to incorporate electronic slew limiting in the servoamplifier. Such limiting would restrict the high slew rates associated with RVDT and summing circuit failures but would not cover the failures in the servosystem hydromechanical hardware or the slew limiting electronics.

The time histories contained in Figure 16 are separated into two sets. Each strip in a set has a number which identifies the particular failure type. These failure types are:

- 1) Servovalve step hang-up, less than error action level (EAL) of the analog monitor, positions actuator so that propellant valve tends to open.
- 2) Same as 1 except that propellant valve tends to close.
- 3) RVDT output goes to maximum value.
- 4) RVDT output goes to minimum value.

The eight parameters in the set at the left, starting at the top of the figures, are:

1 and 2 - The differential errors (DE) the analog monitor sees in Channel A and B. This is the differential sum of the servovalve and its model. When the sum equals or exceeds the monitor EAL, currently set a 50 percent of spool travel, for at least two milliseconds, the analog monitor sends an interrupt to the computer.

- 3 and 4 The differential errors the computer generates by comparing the computed actuator position with each RVDT displayed position. When either of these equals or exceeds the tracking EAL, currently set 5 percent equivalent actuator displacement, the computer enters 200 hertz cycling to test the indicated failure.
- 5 and 6 Discretes that indicate completion of switchout of faulty A channel, or recognizing (or switchout of) faulty B channel.
- A discrete that indicates the completion of switchout of a second failure and putting engine into pneumatic shutdown.
- 8 Engine thrust.

The parameters in the set at the right, starting at the top of the figures, are:

- 1) Preburner temperature, "fuel-side" of engine
- 2) Preburner temperature, "oxidizer-side" of engine
- 3) Shaft speed, high pressure fuel turbopump
- 4) Shaft speed, high pressure oxidizer turbopump
- 5) Main combustion chamber pressure
- 6) System thrust error
- 7) System mixture ratio error
- 8) Engine thrust

## Engine Control Accuracy --

Summary -- The effects of engine sensitivity to preburner propellant valve motion and servoactuator system backlash were investigated on Honeywell simulations. The primary purpose of these studies was to detect any self-sustaining oscillations (limit cycles), in the engine/controller system, due to servoactuator backlash. The studies indicate no loop induced oscillation in the system but they also indicate that the engine sensitivity to valve motion at minimum power level is excessively high. The conclusions of the study are:

- 1) The total effective backlash of the servoactuator/propellant valve mechanization must be less than ±0.5 percent with the current propellant valve area versus position definitions.

  This tolerance provides no design margin for inaccuracy in system design or description.
- 2) "Adequate" system design margin requires a factor of 4 to 5 reduction in engine sensitivity to preburner propellant valve motion at minimum power level.

It should be noted that these studies do not include the addition of stiction as specified in RL00001 Revision E, Amendment 3. This stiction will tend to aggravate the valve sensitivity problem.

Results -- Engine sensitivity to propellant valve motion was obtained from the hybrid simulation. Step commands of  $\pm 0.5$  MR units and  $\pm 24,000$  lbs of thrust were used to determine the differential valve displacements required to reach these commanded values. The sensitivities are as follows:

| Valve | Power Settings | Response/% Displacement |
|-------|----------------|-------------------------|
| OPV   | NPL            | 12,000 lbs/% Stroke     |
| OPV   | MPL            | 24,000 lbs/% Stroke     |
| FPV   | NPL            | 0.125 MR Units/% Stroke |
| FPV   | $\mathtt{MPL}$ | 0.4 MR Units/% Stroke   |

The figures indicate a high degree of MR sensitivity to FPV movement, especially at MPL.

- Figure 18. MR Step Responses with 0.5 percent Backlash The responses to MR step commands from 6.0 to 6.5 MRU and back at NPL and MPL are shown in Figure 18 for linkage backlash of 0.5% in both MR and thrust control loops. The error tends to hang off at 0.05 MRU for some time while the controller moves the linkage across the dead zone. Specification requirements of 1% (0.065 MRU) error within 3 seconds are met with this backlash level.
- Figure 19. MR Step Responses with 1.0 percent Backlash Figure 19 shows responses to MR step commands of 0.5 MRU at NPL and MPL with linkage backlash of 1%. There is considerable overshoot (30%) and hang off evident in the error traces. It appears that the specification on MR control could just be met with this much backlash but there is little if any margin on the time requirement.
- Figure 20. MR Step Response with Reduced Valve Effectiveness The gain of the control valves was reduced by a factor
  of 5 and the controller gains were increased by 5
  maintaining constant loop gain while simulating less
  sensitive valves. The results of this change are



Figure 18. MR Step Response with 0.5 Percent Backlash



Figure 19. MR Step Response with 1.0 Percent Backlash

Figure 20. MR Step Response with 1.0 Percent Backlash - Valves 1/5 Nominal Gain

shown in Figure 20 where the run shown in Figure 19 was repeated but with less effective valves. The differences in overshoot and hang off are apparent.

- Figure 21. Thrust Step Response with 1 percent Backlash System responses to thrust step commands of 24,000 lbs are shown in Figure 21 for linkage backlash valves of 1%. The spec requirement of "less than 6000 lb thrust error within 1 second" is marginally met at NPL and is exceeded at MPL.
- Figure 22. Thrust Step Response with Reduced Valve Effectiveness Figure 22 is a repeat of the run made in Figure 21 except that valve effectiveness is reduced by a factor of 5. Loop gains are the same. The improvement in thrust response is very evident; the thrust control loop is now well within spec.

Discussion -- The above results indicate that the system's ability to meet accuracy requirements with the current valve actuator system definition is marginal. Specifically, the fuel preburner valve has a control gain of 0.4 mixture ratio units per percent valve travel at minimum power level. This would require a steady state allowable motion of the valve to be less than 0.25 percent of total travel to maintain a 0.1 mixture ratio error band. The current estimated deadband in the system is 0.6 percent which means the required steady-state position-keeping requirements of the system are less than the uncontrollable slack in the mechanism.

In a like manner the  $\pm 6000$ -lb thrust precision requirement requires a steady-state actuator resolution of 0.5 percent if all of the allowable error tolerance was used up by the actuating system.



Figure 21. Thrust Step Response with 1.0 Percent Backlash



Figure 22. Thrust Step Response with 1.0 Percent Backlash - Valves 1/5 Nominal Gain

The above-noted marginal operation against specification indicates that the engine sensitivity to propellant valve motion at minimum power level should be reduced by a factor of at least 4 to 1. This is required to obtain adequate design margin on system and servoactuator performance.

Please note that the above analysis and evaluation is based upon servosystem definitions which do not include the effects of propellant valve inertias, loading or stiction. Some relief from the above-mentioned problems may be available if the valve loading effects are large enough to keep the actuator linkage loaded in one direction at all times. This would minimize backlash in the system. The gains obtained due to loading, however, may be obviated by the spring mass system represented by the propellant valve ball inertia and associated wrapup in the valve stem. The stiction effects relating to this particular problem are difficult to evaluate without including the above mentioned inertias, spring rates and valve loading.

An evaluation of the above system mechanization is beyond the scope of Honeywell's current analysis effort.

Off-Nominal Slewing -- The analytical digital program has been updated to include the "Tepee" MR command limiting shown below:





Figure 23. Thrust Range Response at Off - Nominal MR Command Levels

Controller ramp responses at MR command levels of 5.5 and 6.5 are shown in Figure 23. It appears that there is a tendency toward oscillatory response at maximum allowable MR levels, between EPL and NPL (Figure 23B). Gain and phase margins have not been checked at this operating point, but if further investigation reveals low phase margin, changes in the digital controller may be required to prevent limit cycles when linkage backlash is included in the control loop.

### Design Verification Program

The following test procedures were prepared and submitted to Rocketdyne during the reporting period:

|   | Title                                                                | Procedure |
|---|----------------------------------------------------------------------|-----------|
| ₽ | Printed-Wiring Board Screening (Addendum)                            | 002-P     |
| • | Crystal Oscillator (Rev. B)                                          | 004-P     |
| • | Pulse Rate Converter (Rev. B)                                        | 009-P     |
| • | Pulse Rate Converter EMI                                             | 010-P     |
| • | On/Off Valve Driver EMI                                              | 012-P     |
| • | Servovalve Driver/RVDT Demod                                         | 013-P     |
| • | Gate Driver/Sample and Hold (Rev. B)                                 | 014-P     |
| • | Logic Sequence and Shutdown, Rev. A                                  | 015-P     |
| • | Longitudinal Vibration Channel<br>Electromagnetic Interference (EMI) | 021-P     |
| • | Voltage Reference (I/O), Rev. A                                      | 023-P     |
| • | Servovalve Model/Spool<br>Demod/Comparator                           | 026-P     |
| e | Recorder Data Converter                                              | 027-P     |

| l         | Title                                               | Procedure      |
|-----------|-----------------------------------------------------|----------------|
| ø (       | Guidance and Control Data Converter                 | 028 <b>-</b> P |
| •         | Data Bus Interface                                  | 029-P          |
| •         | D/A Converter Rev. A                                | 031-P          |
| •         | Gate Driver/Sample and Hold EMI                     | 032-P          |
| • 7       | Word Current Generator Rev. A                       | 035-P          |
| •         | Power Conditioner                                   | 051-P          |
| • 5       | Strobe Timing Generator                             | 052-P          |
| Testing w | vas completed on the following breadboard circuits: |                |
| • :       | Printed wiring board screening                      | 002-P          |
| •         | Pulse rate converter                                | 009-P          |
| •         | Pulse rate converter EMI                            | 010-P          |
| •         | On/off valve driver                                 | 011-P          |
| •         | Gate driver/sample and hold                         | 014-P          |
| • ]       | Low-level multiplexer and amplifier                 | 016-P          |
| • ]       | LVDT power supply/demod driver                      | 019-P          |
| •         | Longitudinal vibration monitor                      | 020-P          |
| •         | Voltage reference (I/O)                             | 023-P          |
| • ]       | Recorder converter                                  | 027-P          |
| • (       | Guidance and control (G&C) converter                | 028-P          |
| • ]       | Data bus interface                                  | 029-P          |
| •         | 30 foot cable drive                                 | 034-P          |
| • 3       | Structural test section, thermal                    | 036-P          |

Testing was also started and was in process at the end of the period:

| ø | Servovalve driver RVDT                               | 013-P |
|---|------------------------------------------------------|-------|
| • | Servovalve modulator/spool<br>demodulator/comparator | 026-P |
| • | EEE piece parts thermal*                             | 103-P |
| • | EEE piece parts vibration*                           | 104-P |

<sup>\*</sup>No new tests to be initiated, existing tests to be completed.

The following test reports were submitted:

| Report     | Test                                        | Procedure      | Transmittal<br>Letter |
|------------|---------------------------------------------|----------------|-----------------------|
| AEX-73-147 | Logic Sequence and Shutdown                 | 015-P          | 06-771-73             |
| AEX-73-031 | Igniter Monitor                             | 018-P          | 07-902-73             |
| DVS TR 001 | 30 Foot Cable Drive                         | 034 <b>-</b> P | 07-868-73             |
| AEX-73-034 | Low-Level Multiplexer and Amplifier         | 016 <b>-</b> P | 07-928-73             |
| AEX-73-027 | Radial Vibration Channel                    | 022-P          | 07-913-73             |
| AEX-73-047 | Data Bus Interface (68-Ohm<br>Cable)        | 029-P          | 08-932-73             |
| AEX-73-042 | Pulse Rate Converter (Rev. A                | ) 009-P        | 09-1037-73            |
| AEX-73-038 | Input Electronics Reference<br>Power Supply | 023-P          | 08-999-73             |
| AEX-73-033 | Gate Driver/Sample and Hold                 | 014-P          | 08-1000-73            |
| AEX-73-040 | LVDT Power Supply/<br>Demodulator Driver    | 019-P          | 08-1013-73            |
| AEX-73-066 | Guidance and Control (G&C)<br>Converter     | 028-P          | 09-1077-73            |
| AEX-73-048 | Structural Test Thermal<br>Section          | 036-P          | 09-1034-73            |
|            | W2101-QPR-3-73                              |                |                       |

#### HARDWARE DESIGN

# Computer Interface Electronics (CIE)

All computer interface electronics circuit design effort has been completed. Effort remaining includes supporting drafting in the preparation of the last printed wiring board drawings, completing the engineering model and production prototype model documentation, and supporting system testing.

Two sets of engineering model CIE cards, one set for EM-1 and the other for BT-1, were built and evaluated against their card ESs. In addition, one set of cards, for EM-1, was further evaluated as a complete functional sub-assembly, interfaced with the two engineering model digital computers, and subsequently put into full system functional testing (see Engineering Model).

One half of the second set of cards, for BT-1, have been evaluated as a nonredundant functional subassembly and also were interfaced with the digital computer of EM-1. No problems were encountered. The remaining half set will be evaluated in September.

Seven of the eight data packages for the production prototype CIE printed wiring board designs have been released. The release of the eighth printed wiring board data package, representing two of the 15 boards used in the controller, is scheduled for mid-September.

A 68-ohm data bus study was performed. The results of this study showed that the current design (150 ohm) can be modified to the 68-ohm configurations and still maintain a minimum of 5 volts at the receiving end of a 250-foot section of transmission line (transmission line supplied by Rocketdyne). Honeywell has been given direction to incorporate the 68-ohm data bus.

### Input Electronics

During the reporting period the release of all documentation pertaining to the build and test of the Engineering Model (EM-1) cards and subassembly was completed. Similar documentation for PP-1 system is in process of release.

A major effort during this period was the support of EM-1 card and subsystem testing and analysis of the results. Design changes were initiated where analysis indicated they were necessary.

Low-Level Analog Input Channel -- A single-point failure mode causing two sets of input data to be lost was discovered in the temperature and pressure multiplexing circuits. A shorted multiplex switch in the Channel C input would cause loss of both the Channel C input data and either the Channel A or Channel B data in which the Channel C data were being processed.

To correct this situation, Channel C multiplex switches were connected in series with the appropriate Channel A or Channel B switches, requiring two failures before loss of two input data lines would be experienced. DCU output control pulses are used to verify capability of both switches to open and close.

At the request of Rocketdyne, this change was incorporated in the DVS breadboard and the procedure revised. DVS tests on this circuit were completed during this quarter and reports submitted. Test results were satisfactory.

<u>Pulse Rate Converter</u> -- The DVS test of the pulse rate converter circuit and an EMI DVS test on this circuit were completed during this quarter. Test reports were transmitted to Rocketdyne.

System tests on the EM-1 Controller indicated that noise present on long input lines is detrimental to the operation of this circuit. As a fix, a small capacitor (0.01  $\mu$ f) was added across the input of each converter circuit. This fix will also be incorporated into the production (PP1) configuration.

A/D Converter -- Development testing of the analog-to-digital (A/D) converter breadboard is complete. The "speedup" fixes have been incorporated into the design and the circuit meets the Honeywell-specified maximum conversion time requirement.

Comments to the DVS procedure were received from Rocketdyne. A revised procedure was resubmitted. Design verification testing will begin as soon as the DVS is approved.

### Vibration Electronics --

Radial Vibration Monitor -- Design and development of this circuit is complete. Changes indicated necessary by the results of DVS tests completed in the previous quarter have been incorporated in the Engineering and Production designs.

Longitudinal Vibration Monitor -- Design and development is complete following successful completion of DVS tests. The test report is written and will be submitted to Rocketdyne within 2 weeks.

Two changes to RC1007 received from Rocketdyne (SCN 032 and SCN 033) adequately define corner frequencies and tests to be performed during ground checkout.

<u>Input/Output Reference Power Supply</u> -- DVS tests on this circuit were completed during this quarter.

An acceptable method to eliminate the absolute references in the input electronics was found and incorporated into the design. This design change has no effect on the validity of the DVS tests completed.

Crystal Oscillator Design -- Developmental tests on the two crystal oscillator designs were completed. One circuit displayed a superior starting characteristic and was selected for use throughout the controller. A schematic of the circuit selected is shown in Figure 24.



Y1 - - CRYSTAL, 12.000 MHz  $\pm$  70 PPM OVER A TEMPERATURE RANGE OF -55° TO +105°C

Figure 24. Preferred Crystal Oscillator Circuit

## Output Electronics

During this reporting period the release of all documentation pertaining to the build and test of the Engineering Model (EM-1) cards and subassembly was completed. Similar documentation for the PP-1 system is in process of release.

The major effort during this reporting period was the support of EM-1 card and subsystem testing and analysis of the results. Design changes were implemented where analysis indicated they were necessary.

On/Off Valve Driver -- DVS testing of this building block was completed. All test requirements were met except that the pneumatic valve holding current was approximately 0.79 amp at high temperature instead of 0.75 amp. This occurred when the energizing voltage was 39.6 volts. The nominal voltage is 36.0 vdc. It is presently planned that this will be discussed during the 19 September coordination meeting.

Igniter Power Regulator -- The decision was made to include this circuit within the controller power supply electronics.

<u>Servovalve Driver/RVDT Demod</u> -- DVS testing of this building block is in process and results to date appear satisfactory.

<u>Servovalve Model/Spool Demod/Comparator</u> -- DVS testing of this building block is also underway and progressing satisfactorily.

<u>LVDT Power Supply</u> -- DVS testing of the LVDT power supply was completed with satisfactory results.

<u>D/A Converter</u> -- A revised DVS test procedure was submitted incorporating comments received from Rocketdyne. DVS testing will start as soon as the revised procedure is approved.

## Power Supply Electronics

In-depth electrical testing of the breadboard model of the power supply electronics (PSE) was conducted during this report period.

Closed-loop operation of the pulse width modulator for the voltage regulator control loop was satisfactorily demonstrated. Transient response testing of the primary (+5 volt dc) regulated output voltage of the power supply showed quick recovery and a well-behaved response for step changes in the load impedances.

A number of improvements and design simplifications were accomplished as a result of the PSE breadboard testing. These improvements include:

- Optimization of the speed of response to transients by means of a simplified voltage feedback and control loop.
- Elimination of the filter inductor in the d-c power input path. Less than 5-volt peak-to-peak ripple is present on the 267-vdc output when it is derived from a 3-phase a-c full-wave bridge rectifier and filtered by a 20-μf capacitor.
- Demonstration of the ability of transistor base circuit charge control to provide instantaneous and rapid turn off of the dc/ac converter power transistors with and without collector current loading. This was a major design goal for proper power-up and operation of the power supply.
- Power transformer design improvements derived from magnetic parameter testing and aimed at keeping the power transistors' (dynamic) operating load lines (collector voltage versus collector currents) within the safe instantaneous values as delineated by the power transistor manufacturer.
- e Reduction in the number of integration inductors from 2 to 1 in the +5 volt regulated output for each channel. This simplification in the integrator design resulted in a weight reduction of 4.0 lb and a volume recovery of 30 cubic inches.

PSE Block Diagram -- A partial PSE simplified block diagram is shown in Figure 25. The design simplifications reported above are included in this updated block diagram.

Figure 25. Partial Block Diagram of Power Supply Circuitry

Power Supply Packaging Status -- A prototype power supply heat sink and housing assembly for the PSE channel has been fabricated in the Tech Lab. This engineering model prototype power supply will verify the mechanical, thermal, magnetic and electrical characteristics of the production design. It will also be used for EMI development and DVS testing.

# Engineering Model (EM)

Primary emphasis during this period was concentrated on EM-1 and BT-1 fabrication and EM-1 evaluation. A third chassis, EM-1A, scheduled for nonredundant engineering model checkout, was eliminated to reduce costs.

The EM-1 controller has been in system test since early August although it has not been completed in two areas. The main power supply has been substituted with commercial power supplies as the main power supply development is lagging the remaining portions of the system. The power supply is scheduled to be available in November. Also not completed is the wiring to the four controller GSE connectors as there was a change in connector types and new connectors were ordered. The GSE connector wiring is scheduled for completion in September. The 43 stitch wiring cards and two metal boards containing the input, computer interface, and output electronics circuits will be upgraded as the long lead time precision components (resistors + capacitors) become available.

The system functional test phase is on schedule and no major design deficiencies have been uncovered.

Figure 26 shows the EM-1 controller. The BT-1 controller will be identical to EM-1.



Figure 26. Engineering Model Controller

The BT-1 controller is scheduled for system test in November - less the main power supply and one of the two digital computer units. The BT-1 cabinet has been completed with the exception of the four GSE connector wiring, and has been used as a test bed for both EM-1 and BT-1 cards. All but five BT-1 stitch wiring cards have been fabricated and evaluated against their card documentation. The remaining five are waiting for parts.

BT-1 functional subassembly testing is progressing; the nonredundant CIE functional subassembly testing has been completed (eight cards). The remaining CIE functional subassembly testing will be completed in September. Output electronics and input electronics functional subassembly testing will be completed in October. The main power supply will be available for BT-1 in mid-December.

# Simulation Interface Adapter (SIA)

The SIA signal conditions all controller input and output signals, with the exception of the data bus, for use in Honeywell's hybrid computer facility. All the circuits providing this signal conditioning are housed in a single cabinet, Figure 27.

The SIA is in test where it is being verified against its specifications -- all components being previously checked out and calibrated. This verification will be complete on 1 October at which time it will be available for system test.



Figure 27. Simulation Interface Adapter

## Controller Mechanical Design

An overview of the controller mechanical design was presented to the Honeywell Design Review Committee. A design critique was obtained from the committee and a Design Review Report is being prepared.

The structural thermal model (STM) case walls and covers shown in Figures 28 and 29 were tooled, machined, and successfully processed through inspection. The STM configuration incorporates the reduced number (from 6 to 4) of ground support equipment connectors, relocation of the J-12 power connector from the outboard cover to the end wall adjacent to J-7 and J-8, and the revised flange bolt pattern. All piece parts for the STM were also completed and subassembly work was started. A potential problem is the delay in delivery of circuit board connectors and master interconnect board (MIB) contacts.

Drawings for five PP-1 printed-wiring board assemblies were completed and released for procurement. PP-1 MIB piece-part drawings were also released and fabrication was started. The MIB assembly drawings are nearly complete and are dependent upon the internal cabling design. Cabling layout was slowed due to the limited space in the outboard-to-inboard case interface.

Fabrication was completed on the mold for the foam grid to be used in the foam-pack assemblies, and pilot molding was begun. A test foam-pack assembly is shown in Figures 30 and 31.



Figure 28. Controller Case Inboard, Outboard and Cover Assemblies



Figure 29. Controller Case



Figure 30. Circuit Board and Grids



Figure 31. Circuit Boards and Foam Pack Parts for Structural Model DVS Tests

# Digital Computer Unit

Memory Timing --Memory timing and control required additional buffering and was accomplished with two additional circuits. This required 11 additional 4.7 µfd capacitors to reduce decoupling noise from 90 mv to 75 mv on the 10.7-vdc line and also accept a 2.6-amp digit load. The impact on the power conditioner requirement of meeting a 2 ms operating level after turn-on was acceptable as defined for nominal case.

Power Conditioner -- A design change was incorporated into the power conditioner logic to assure a minimum of 1 ms delay after PRIO interrupt before the 5-vdc supply was back within operating parameters.

The power regulators +10.7 vdc, +8.0 vdc were breadboarded and tested over the worst-case operational limits and perform well within specifications. The use of Vishay resistors in the power conditioner board was presented to NASA/Rocketdyne on 26 August 1973. It was necessary to establish the need for these precision resistors and obtain concurrence that Vishay would be acknowledged as the source for these components. General satisfaction was expressed and followup was required to incorporate additional requirements into the procurement specification as specified by GAPD.

Master Interconnect Board -- A specification was issued to GAPD defining the mechanical and electrical interface requirements for the DCU. Extensive interface was necessary between GAPD/Aero to resolve the power bus for design to assure minimum EMI interference. Power and ground pins from the power buses were arranged such that all electronics board assembly connectors receive power through identical pin numbers to facilitate maintainability, testing and troubleshooting.

Software Design -- The acceptance test program for the DCU, DS24530-01 Part I, was submitted last quarter to R/D. The Part II specification

preliminary issue was submitted to GAPD and R/D on 14 August. Preliminary flow diagrams were included. Final copy is scheduled to GAPD on 20 September with final listings to be delivered 1 December 1973.

<u>Documentation Release</u> -- Approximately 80 percent of the DCU documentation is released. The major subassembly drawings and four printed wiring board artwork details are yet to be released. A target for all released hardware documentation is planned by mid-October.

Five of the seven central processor board artworks are released. The timing and control processor board is planned for release on 26 September. This will complete the processor hardware drawing set.

Memory subsystem documentation released includes the memory plane artwork, substrate drawings, memory board assembly drawings, word electronic artwork and memory sense/digit artwork. The remaining three boards will be released in mid-September.

Power conditioner board design artwork release slipped because of a design change in voltage sequencing requirements. A minimum impact to artwork is anticipated and expected release date is 30 September 1973. This board does not impact unit delivery schedule.

Hardware design definition on foam packs is in final stages. Information will be submitted to GAPD for use in hardware design and build.

MIB interface drawings are completed and information transmitted in a requirement specification to GAPD.

#### GSE/FTE DESIGN

The Preliminary Design Review (PDR), with Rocketdyne and NASA representatives in attendance, was completed on July 31-August 1, 1973. Agreement was reached regarding all GSE requirements and implementation. Since the PDR, the GSE/FTE design effort has proceeded in all areas, and activity is shifting from design and drafting to support of part procurement, fabrication, assembly, and checkout. The design status for each end item is summarized below and the hardware build status is presented in Section III.

# Command and Data Simulator (C&DS)

The C&DS hardware detailed design is basically completed and the engineering drawings are nearing completion. DS24682-01 has been updated to incorporate the changes agreed upon at PDR. Executive software programming is currently underway with several sections coded and assembled. Debug of the executive sections or routines is being accomplished on alternate work shifts with the hardware checkout on the in-house C&DS.

The initial goal is to have the executive software sufficiently complete and debugged to render the in-house C&DS usable for system integration tests with the EM-1 controller model on 1 October 1973.

# Controller Memory Programmer

All work has been suspended in compliance with Rocketdyne Stop-Work order RDM-CA3-400 dated August 29, 1973. At that time, the DVS test on the 30-foot interface cable had been successfully completed, the detail design was nearing completion and a major portion of the piece parts for the Programmer had been ordered.

### Controller Checkout Console (CCC)

The initial hardware design is completed and minor revisions are being incorporated as a result of debug tests being performed on the controller acceptance test procedure (ATP).

#### Factory Test Equipment (FTE)

The FTE design is proceeding as required to support production of the PP-1 controller and beyond. Designs of the manual card station, card burn-in station, and the controller adapter have progressed significantly and manufacturing is in process. The controller adapter design is being kept current with the performance experience derived from checkout of the first CCC and the preliminary controller ATP.

The subassembly adapter design is partially complete with current effort concentrating on the master interconnect board (MIB) holding fixture. The final electrical interface design will be completed upon release of the MIB wiring tests.

The interconnect cables required to interface the in-board and out-board master interconnect boards (MIBs) of the controller to the Production DIT-MCO machine have been defined and are on order. The DIT-MCO machine is a capital piece of equipment which will be used to perform continuity and insulation resistance checks on the complete stitch-wired MIBs.

Design of the card test software and adapters is proceeding in accordance with the card engineering data releases and production schedules for the PP-1 controller. The adapters are required to interface each card to either the manual card station or to the ATE station.

## SOFTWARE DESIGN

# Memory Size and Process Time

The memory size and process time estimates for the operational program were revised, based on the detail flow charts provided in the operational program engineering specifications (ES 24622 dash numbers 01 through 11). The revised estimates for the flight program and checkout modules are:

| Function                               | Memory                      | Process Time       |
|----------------------------------------|-----------------------------|--------------------|
| Flight Program                         | 10,314 words                | 16.56 milliseconds |
| Flight Readiness Test Module           | 575 words                   | 1.776 milliseconds |
| Actuator Component Checkout<br>Module  | 955 words                   | **                 |
| Pneumatic Component Checkout<br>Module | 435 words                   | **                 |
| Sensor Checkout Module                 | 785 words                   | **                 |
| Redundancy Verification Module         | 350 words                   | **                 |
| TOTALS                                 | 11,269 <sup>(1)</sup> words | 18.34 milliseconds |

<sup>(1)</sup> Worst case with actuator component checkout module in memory.
\*\* Not used during mainstage control.

The process time estimate exceeds the specification limit of 15.4 msec. However, this problem does not require immediate resolution. The estimates are based on a software design which is optimized for minimum memory. A review of this design will be made in the next quarter to seek more efficient algorithms and to determine if more conservative use of subroutines would decrease the process time. Honeywell will also review the self-test requirements to assure that all identified tests are required every major cycle.

Honeywell will identify requirements which are process time drivers and work with Rocketdyne to determine if changes can be made to reduce the process time. Finally, if more efficient programming and requirements modifications do not alleviate the problem, Honeywell analysis has shown that the cycle time could be increased to 25 or 30 milliseconds. However, a change in the cycle time is not recommended at the present time. A history of the memory size and process time is shown in Figures 32 and 33.

#### Operational Program Requirements

Revision B to the Operational Program Part 1 specification, based on RC 1010C Amendment 2 requirements, was released. This specification was transmitted to Rocketdyne for review and comments via Honeywell Letter No. 7-852-73.

Revision C to the Operational Program Part 1 specification is 50 percent complete. This revision will reflect RC 1010D. The completion date for this specification is being slipped to accomplish high-priority tasks. The expected completion date is now late November.

## Operational Program Design

A complete baseline design in the form of 11 engineering specifications (ES 24622 dash numbers 01 through 11) has been released. Each of these specifications contains a description of a computer program component (CPC) in terms of data descriptions, flow charts, and subroutine descriptions. Information copies of released specifications are sent to Rocketdyne per DR 55-E-024.



Figure 32. Operational Program Memory Size Requirements



Figure 33. Operational Program Process Time Requirements

# Controller Acceptance Test (CATP) Program Requirements

The CATP Part 1 specification was released and sent to Rocketdyne for approval per DR 55-C-009.

# Controller Acceptance Test Program Design

The CATP Part 2 and Addendum specifications are 50 percent complete. With the release of the CATP Part 1, these specifications can be completed and will be sent to Rocketdyne in accordance with a schedule coordinated with Rocketdyne personnel.

The CATP Program is 80 percent coded and is being debugged on the 516 and engineering model controller. Debug is 30 percent complete.

# Computer Acceptance Test Program (CMTP)

A preliminary Part 2 specification for the CMTP was transmitted to Rocketdyne via CEL 3-SSEC-230.

Rocketdyne and Honeywell have resolved most of the points in question on the CMTP Part 1 specification. This document will be revised to incorporate the agreed changes during the next quarter.

The CMTP code has been updated to incorporate a parity test, improved memory pattern tests, and the input/output tests. The program is 90 percent coded and debugged.

#### PRECEDING PAGE BLANK NOT FILMED

- 87 -

# SECTION III MANUFACTURING

#### CONTROLLER

### Activation Schedule

The milestone and activation schedule (Figure 34) has been updated to reflect the impact of delayed Input/Output Assembly printed circuit card releases (-7 weeks) and delayed DCU deliveries (-10 weeks). This implies a corresponding delay in PP-1 delivery which must be dealt with insofar as possible with work-around and schedule recovery techniques.

Tentative layouts for the production areas have been made and approval for funding the St. Louis Park facility has been requested. 1973 capital equipment requests have been submitted for approval. Vendor tooling and card tool ordering has started and will continue as design definition and print releases progress. Approval of all special-purpose tooling items in excess of \$1,000 each is being requested from Rocketdyne as the individual tools become identified. Training of Shuttle personnel for hi-rel handling has started.

#### Production Control/Flow Charts

The line-of-balance chart (Figure 35) for fabricating the PP-1 model identifies the parallel time phase relationships for chassis, card assemblies, DCU, and controller assembly. Material orders are being placed as definition is received from Design Engineering. The chart reflects the current status including the projected impact of the delayed printed circuit card releases.



Figure 34. Combined Milestone Chart for Activation Schedule for Delivery of PP-1 Model



Figure 35. Line-of-Balance Chart for Fabrication of PP-1 Model

#### Milestone Chart

The milestones in the previous report for the June 1973 through September 1973 period identifying material pricing updates, material ordering, tooling, and process development were updated to reflect the current impact of delays in printed circuit card releases.

Continuing Design support and Customer support by Manufacturing personnel is shown by continuous bars. All Design and Customer requests for cost estimates were completed. Production supported Design in the development and packaging process. Manufacturing inputs to the Management Information and Reporting System reflecting current financial expenditure plans were updated. Production Engineering investigation of soldering techniques continued. Fabrication of the chassis for PP-1 and two EM controller assemblies has started.

The milestones for the September 1973 through January 1974 period will require continuing Design and Customer support from Production. The third cost analysis of the currently-designed controller assembly configuration was completed in July. Material ordering will continue as planned. Development of processes and tooling is planned for the June through January period.

#### DIGITAL COMPUTER UNIT

#### Activation Schedule

The milestones and activation schedule are still addressed to delivery of PP-1 unit on 1 March 1974. A delay in delivery of 10 weeks is forecast and the subsystem integration and testing will be impacted by the delay. Procurement activity and multishift operation are those areas being exercised to reduce the delays.

Engineering Model EM-1 channel A and B were produced and delivered during this quarter. BT-1 channel A is scheduled for delivery 1 September 1973, however, the current schedule indicates delivery on 28 September.

Parts procurement for three prototype units is placed and those EEE parts with long-lead procurement are being identified with deviation request to meet the delivery schedule.

Special-purpose testing authorization was granted for the General Radio logic board tester and the unit was procured and delivered on 20 August to Aero.

SEM parts have been authorized for the six production units and orders are in process.

# Production

Production control schedules are in the process of being prepared from an overall master schedule into sublevel detail flow charts.

PP-1 build activity includes receipt of memory planes and substrates from the printed wire board supplier. The memory planes have been processed through keeper plating and the first lot yielded 100 percent (6 out of 6) to stock. Keeper plating has been a low yield process on past programs and the success to date on Shuttle is attributed to a smaller physical size of memory plane.

Board lamination will begin the end of September and half stack assembly is scheduled to start toward the end of October.

Flex cables are expected from the supplier in mid September with a probable delay in connectors for the flex cables from Cinch. An interim flex cable connector is being negotiated with Cinch that appears to be a favorable work around.

The connectors for the printed wiring circuit boards that plug into the MIB are on order with Cinch. Tooling estimates for these connectors plus fabrication are approximating 20 weeks delivery. This places the connector need date approximately 2 weeks beyond receipt of the first board. However, populating the board with components will utilize the time span and connectors can be assembled at the final station.

Part procurement from specific vendors present problems. Request for deviations have been submitted on 3 components and an additional 5 deviations are in process because of exceptions taken to specifications or excessive lead times that are projected beyond subassembly need dates.

A joint effort including personnel from NASA/Rocketdyne and Honeywell plan to visit Motorola to expedite delivery on sense amplifiers. Hi-Rel and SEM units are quoted at 50 weeks plus.

#### GSE. FTE

The first controller checkout console (CCC), shown in Figure 36, is completed and operational, except for the computer control unit (CCU) and the paper tape reader (PTR). The CCC has been used for checkout of EM-1 and BT-1 controller subassemblies and currently is being employed in system integration and checkout of EM-1. Revision's resulting from initial use of this CCC will be incorporated in all CCC's.



Figure 36. Controller Checkout Console

W2101-QPR-3-73

3

The second CCC has been assembled and checkout started. This unit is scheduled for use with the BT-1 controller and will be the unit that is eventually shipped to Rocketdyne.

The in-house command and data simulator (C&DS) shown in Figure 37 is assembled and an expedited effort is under way to complete checkout prior to the functional system completion date of 1 October 1973. Self-test software routines are being debugged simultaneously with the system hardware.

Production effort has started on the first deliverable C&DS. The unit to be delivered to Rocketdyne for use with the BT-1 controller is to be assembled and ready for hardware checkout by 1 December 1973.

Several items of FTE are in various stages of completion in accordance with their need in support of PP-1 production. Fabrication is in process for the controller adaptor which will be used to interface the production controller to the automated test equipment (ATE) for final checkout. The manual card station and card burn-in station are in assembly and will begin checkout by 1 October and 1 November 1973, respectively.

Two automatic test equipment (ATE) stations are being provided through capital funding for use by Controller Production. The first station (#8) is fully operational and the second (#9) is nearing completion of the digital interface unit checkout. The second station will then be upgraded with additional peripheral equipment which will enable it to function as a stand-alone station for use at the Stinson-Ridgway Plant. The stand-alone capability will enable this station to be used in final checkout of controllers independent of the central ATE system located in the St. Louis Park Plant.



Figure 37. Command and Data Simulator System

# RECEDING PAGE BLANK NOT FILMED

- 97 -

# SECTION IV QUALITY ASSURANCE

#### CONTROLLER

#### Accomplishments

Quality operating procedures, per DR 55-P-005, were submitted to Rocketdyne on 30 June 1973.

Inspection instructions for electronic parts were 90 percent completed during this period and will be ready as procured parts reach receiving inspection for the first buy for three units (PP1-PP2-NASA 1). The peak for receipts is expected about mid-October.

EM-1 card build and functional check is complete. BT-1 card build is complete and functional check is 90 percent complete.

QA participated in design reviews in the following areas:

- Input electronics
- Output electronics
- Computer interface electronics
- Mechanical design
- Power supply (50 percent)

QA also monitored the design verification testing reported in Section II. Eight failures were recorded during these tests. Five have been closed out, and the remainder are under investigation. The quarterly QA audit of Aero, Florida, quality system capability was performed in August by GAP QA personnel and no discrepancies were noted.

Precap visual on semiconductors was monitored on approximately 50 percent of orders, mostly at T.I. where Honeywell has a temporary quality representative assigned.

Requisitions were coded for quality requirements and orders were placed for machining of chassis and covers for the production prototype models.

## SIGNIFICANT PROBLEMS

A serious problem is anticipated in turn-around time for requests for deviation. The Honeywell understanding is that it may take 60 days, or longer, for the deviation request to be processed through Rocketdyne and NASA. Since this kind of delay will impact schedules it is to the interest of all concerned to plan ways of accelerating approval. This will be on the agenda for the September coordination meetings at Minneapolis.

#### HARDWARE, PROCESS, AND PROCUREMENT PLANS

Inspection instructions for board visual and functional checks on production prototype models will begin in September. This will include review and sign-off by QA of production layouts in order to insert quality check points where desired in the production operational sequences.

Post-award surveys of suppliers will be completed during the last quarter to bring Honeywell up to date on "EEE" vendor surveys, as required by the approved Quality Program Plan.

Additional quality operating procedures will be generated in the areas of:

- Control of GSE build and test
- Software control
- Acceptance data package

#### DIGITAL COMPUTER UNIT

Engineering Model EM-1 channels A and B were subjected to acceptance testing, and malfunctions and/or discrepant action was identified, reported and analyzed. The complete data package was shipped with the units to Minneapolis, as well as copies to the Quality Rocketdyne representative at Aero.

In-house audits were performed by Rocketdyne Quality personnel. Several discrepancies were observed, and changes in the procedures are being incorporated.

# PRECEDING PAGE BLANK NOT FILMED

# SECTION V RELIABILITY

#### CONTROLLER

# Test Monitoring

During design verification testing the following four malfunctions occurred in the pulse rate converter and were satisfactorily closed out: 1) a test instrumentation problem, resulting in an erroneous reading; 2) failure of an off-the-shelf part that is not representative of the parts that will be used in production models; 3) excessively tight specification tolerances which were relieved with Rocketdyne approval; 4) a high conducted EMI for which an adequate suppression circuit was devised.

Additional malfunctions occurred during DVS tests still in process. These are summarized under "Nonconformance Reporting."

# Design Reviews

A schedule was defined for conducting the Honeywell internal design reviews, and with the exception of the power supply and systems reviews, which have been rescheduled, the reviews proceeded as planned. Status of the six reviews is as follows:

- Computer interface electronics: Complete
- Input electronics: Complete
- Output electronics: Complete

- Power supply electronics: 40 percent complete; critique meetings yet to take place.
- System design: Board members selected, dates established
- Mechanical design: 95 percent complete; definition of action items required to finish.

The results of these reviews will be reported per Data Requirement 55-R-007.

### **FMECA**

The Controller FMECA Report (Document W2101-FMECA-2) was updated and submitted. Major update was required for all analysis worksheets because of design changes or because of better design definition. About 60 percent of worksheets were completely revised at this time.

The functional element level Failure Mode and Effects Analysis (FMEA) effort is continuing. The major objective of the initial phase of this FMEA is to identify potential design problems (single failure points, etc.). This phase is better than 50 percent complete.

The overall progress is as follows for all major functional components of the controller:

- Computer interface electronics Continuing, about 30 percent complete
- Output electronics Continuing
- Input electronics Continuing
- Power supply electronics Started
- Digital computer unit Continuing

The results of the DCU analysis were periodically reviewed to support the evaluation of the DCU self-test program (sample problem).

The functional element FMEA task was audited by representatives from both NASA and Rocketdyne. The FMEA work done was found to be satisfactory by both parties.

The FMECA for the GSE was initiated, and a preliminary report was issued on 31 July 1973. The PDR for the GSE was held at Honeywell GAPD 31 July 1973 and 1 August 1973, and was supported by Reliability. The GSE FMECA was made available for review at the GSE PDR.

# Nonconformance Reporting

Twenty malfunctions requiring nonconformance reporting occurred during the reporting period (including the four described under "Test Monitoring"). The cumulative status of nonconformance reporting is as follows:

- Cumulative number of reports issued 21
- Current number of reports open 9

# Parts Management

Tests were completed on bare Vishay resistor elements with no failures. Results were listed in Vishay Analysis Test Report No. 61370 which was given to Rocketdyne and NASA personnel at Vishay the week of July 30. As a result of the meeting at Vishay, Honeywell marked up prints to reflect certain agreed to changes, and these, with test data, were sent to NASA and Rocketdyne for review. Subsequent conversation with NASA personnel reflected their wants for additional requirements and tests. These items have not been resolved.

GAP reviewed comments to "Non-Preferred Part Specifications" which were received from Rocketdyne and NASA. In addition, comments to 33 Aero specifications were forwarded to Aero for their review. We have scheduled a combined NASA/Rocketdyne/Honeywell spec negotiation session at GAP the week of 17 September, and at Aero the week of 24 September. It is anticipated that all part specification differences will be resolved and the specifications approved.

A vendor negotiation team consisting of personnel from Honeywell, Rocketdyne and NASA was formed and the major integrated circuit vendors were visited during the time frame between 27 August and 14 September. Preliminary results indicate that, with certain spec changes which NASA has agreed to and with the possibility of being allowed to purchase in larger quantities, a considerable cost saving can be achieved. Final results will depend on NASA approval in both areas.

Reliability inputs were completed for all Part Application Reviews except for the Power Supply and for minor corrections and updates on several others.

#### Schedule

Reliability activities are running from 3 to 4 weeks behind the planned schedule. Functional level FMECA activity has been impeded by delays in parts releases and by the necessity to respond to a Rocketdyne request for a updated output level FMECA report.

#### DIGITAL COMPUTER UNIT

FMECA activity is in progress and is reviewed on a monthly basis with GAP. Both DCU and GSE analysis are in process. A specific area of

concern is to identify a positive check as to which of the two channels in the DCU is being loaded by the programmer during operation. An action item at the GSE PDR was assigned to Design to resolve the problem.

Test program (software) for the Engineering Model hardware were placed under a system of control with primary responsibility to Quality Assurance.

# PRICEDING PAGE BLANK NOT FILMED

- 107 -

# SECTION VI MAINTAINABILITY

The design of the controller assembly advanced sufficiently during this period to permit the completion of the preliminary Maintainability Analysis and Prediction Report.

#### MAINTAINABILITY ANALYSIS AND PREDICTION

The preliminary Maintainability and Analysis Prediction Report (DR 55-R-004) was completed and formally distributed on 15 June 1973.

#### MAINTAINABILITY VERIFICATION

Some preliminary planning for this task was performed in conjunction with the preparation of the maintainability analysis and prediction report.

#### SUPPORT HARDWARE RECOMMENDATIONS

A protective cover for the flange surfaces of each half of the controller was recommended for use during shipping and handling as separated halves. The requirements for tools to assemble and disassemble the controller in the factory were set forth.

# SECTION VII SYSTEM SAFETY

#### GENERAL STATUS

Safety monitoring of the controller and GSE designs continued, and the assembly area for this equipment was given a thorough safety inspection, with the imposition of safety housekeeping controls.

# QUANTITY OF CATASTROPHIC OR CRITICAL HAZARDOUS CONDITIONS

No catastrophic or critical hazards exist at this stage of the investigation.

#### HAZARDOUS CONDITION SUMMARY

All items previously listed as "Critical" in the Preliminary Hazard Analysis have been reduced to a "Controlled" status. Four items not given a criticality assessment are still being investigated.

#### ACCIDENT/INCIDENT REVIEW

No accidents or incidents occurred.

#### SYSTEM SAFETY HAZARDS ANALYSES

Four items listed in the Preliminary Hazard Analysis as critical were investigated further, and reduced to a "Controlled" status. Three items listed as being under investigation were further identified as being "Controlled" conditions.

#### SYSTEM SAFETY PLAN

Revision 4 to the System Safety Plan was issued 30 June 1973.

#### DESIGN REVIEWS

An informal safety design review was held with Rocketdyne at Honeywell-GAPD on 27 June 1973.

#### CHANGES WITH SAFETY-RELATED IMPACT

ROM for safety portion of controller "Shutdown Inhibit" modification was sent to Rocketdyne. The proposed logic change to memory programmer designed to prevent loading of DCU-1 program into DCU-2, and vice-versa was reviewed and approved.